ASA config for MX records

jwilder01
Level 1

I need help with an ASA config.

They are trying to implement a Barracuda spam filter (10.1.0.11) for inbound SMTP traffic before it arrives at their Exchange server (10.1.0.6). Their MX record points to x.x.51.131.
Right now I have a static translation for this:
ASA# sh run | inc static
static (Inside,outside) x.x.51.131 10.1.0.6 netmask 255.255.255.255
ASA#


If I revise the NAT to PAT and direct inbound as follows:
static (Inside,outside) tcp x.x.51.131 smtp 10.1.0.11 smtp netmask 255.255.255.255  (inbound SMTP to spam filter)
static (Inside,outside) tcp x.x.51.131 https 10.1.0.6 https netmask 255.255.255.255  (HTTPS for OWA to Exchange server)

When I do this, outbound email begins being sent with x.x.221.50 (circuit IP – untrusted for mail) in the header, instead of x.x.51.131 (MX record IP, trusted source), and starts getting bounced by external spam filters.

How do I make sure I can direct inbound and still have outbound delivery carry the MX IP? They tell me the Barracuda spam filter does not send out email, only receives inbound. The Exchange server is the only one that sends email outbound via the ASA.


Accepted Solution

Evgeny Taskaev
Level 1

Hello

In addition to your static rules:
static (Inside,outside) tcp x.x.51.131 smtp 10.1.0.11 smtp netmask 255.255.255.255
static (Inside,outside) tcp x.x.51.131 https 10.1.0.6 https netmask 255.255.255.255

you should write a source rule like this:

access-list NAT-MAIL-OUT extended permit tcp host 10.1.0.6 any eq smtp

nat (inside) 99 access-list NAT-MAIL-OUT

global (outside) 99 x.x.51.131

The NAT rule "nat (inside) 99 access-list NAT-MAIL-OUT" must come before the more general rule which translates any outbound traffic for 10.1.0.6 to x.x.221.50.
So you should reorder your nat rules in the configuration.

For example, this works:
nat (inside) 99 access-list NAT-MAIL-OUT
nat (inside) 1 access-list NAT

This does not work:
nat (inside) 1 access-list NAT
nat (inside) 99 access-list NAT-MAIL-OUT


You can also use a simpler ACL to translate any outbound traffic for 10.1.0.6, not only SMTP:
access-list NAT-MAIL-OUT extended permit ip host 10.1.0.6 any

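To make the ordering point concrete, here is an added example (not from the thread, not Cisco code): a simplified Python model of the one behaviour the answer relies on, policy NAT rules being evaluated in configuration order with the first match deciding the global pool. The contents of ACL "NAT" are not shown in the thread, so an inside /24 is assumed for it; the remote mail server address is constructed.

```python
# Added example: simplified model of ASA pre-8.3 policy-NAT ordering.
# It is not ASA code; it only models "first matching nat rule wins".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'permit <proto> <src> <dst> [eq <port>]'."""
    proto: str                    # "ip" or "tcp"
    src: str                      # host or network, e.g. "10.1.0.6/32"
    dst: str                      # "any" or a network
    dport: Optional[int] = None   # destination port; None means any

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


# ACLs from the thread. ACL "NAT" is not shown there; the inside /24
# below is an assumption standing in for "any outbound traffic".
ACLS = {
    "NAT-MAIL-OUT": [Ace("tcp", "10.1.0.6/32", "any", 25)],
    "NAT":          [Ace("ip", "10.1.0.0/24", "any")],
}

# 'global (outside) <id> <address>' pools, masked as in the thread.
GLOBALS = {99: "x.x.51.131", 1: "x.x.221.50"}


def outside_address(nat_rules, proto, src_ip, dst_ip, dport):
    """Translated source for a flow, or None if no nat rule matches.

    nat_rules is the ordered list of (nat_id, acl_name) as they appear
    in the running config; the first rule whose ACL permits the flow wins.
    """
    for nat_id, acl_name in nat_rules:
        if any(a.matches(proto, src_ip, dst_ip, dport) for a in ACLS[acl_name]):
            return GLOBALS[nat_id]
    return None


WORKING = [(99, "NAT-MAIL-OUT"), (1, "NAT")]   # "this works" order
BROKEN = [(1, "NAT"), (99, "NAT-MAIL-OUT")]    # "does not work" order

if __name__ == "__main__":
    for order in (WORKING, BROKEN):   # Exchange sending to a constructed remote MX
        print(order, "->", outside_address(order, "tcp", "10.1.0.6", "203.0.113.25", 25))
```

With the working order, Exchange's outbound SMTP leaves as x.x.51.131 while its other outbound traffic (and the Barracuda's) still falls through to x.x.221.50; with the broken order the general rule catches the SMTP flow first.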

Thank you so much!


Jason
